BILLmanager Knowledge Base

Errors in issuing or replacing an SSL certificate for the platform

This article describes solutions to possible errors that may occur when issuing or replacing a platform certificate.

Failed to start new daemon with ssl

The ihttpd web server does not start when the certificate is replaced. The /usr/local/mgr5/var/ihttpd.log has an error similar to:

Nov 23 06:57:11 [1680:1] main WARNING Failed to listen: ip '10.10.11.15', port '443'. Reason: Failed to start new daemon with ssl

The cause of the error is an incorrectly assembled certificate chain.

To fix this, delete the certificates completely and then add them again according to the instructions:

  1.   Delete the certificates in the platform interface in Control panel address → Certificates button → Delete button.
  2.   Connect to the platform via SSH.
  3.   Delete the certificates from the /usr/local/mgr5/etc/ directory. You can check the file names in the configuration file /usr/local/mgr5/etc/ihttpd.conf. An example of the listen section with the names of certificate files:

    listen {
    ip 10.10.11.15
    port 1515
    redirect
    certkey etc/ihttpd_cert.key
    cert etc/ihttpd_cert.crt
    cacert /etc/ssl/certs/ipa-ca.pem
    }
  4. Add a certificate through the interface: Settings → Control panel address → Certificates button → Add button → choose Existing certificate. The certificate and chain will be sorted automatically.
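
Before re-adding the files, the certificate, key and chain can be checked on the command line for the kind of mis-assembly described above. This is an added example, not part of the BILLmanager documentation or tooling; it assumes the `openssl` command-line tool is installed, and the function name `check_cert_bundle` and its return codes are made up for this example.

```shell
#!/bin/sh
# Added example: pre-flight check of the files that the listen section names
# as cert, certkey and cacert. Usage: sh check_bundle.sh CERT KEY CHAIN
# Return codes (chosen for this example): 0 ok, 2 unreadable file,
# 3 key mismatch, 4 chain does not verify the certificate, 5 expired.
check_cert_bundle() {
    cert=$1 key=$2 chain=$3

    # openssl x509 reads only the first PEM block of a file, so a cert file
    # that starts with an intermediate instead of the server certificate
    # shows up here as a key mismatch.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match the first certificate in $cert" >&2
        return 3
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate in $cert has expired" >&2
        return 5
    fi

    # -partial_chain accepts a bundle that stops at an intermediate (no root).
    if ! openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "certificate in $cert does not verify against $chain" >&2
        return 4
    fi

    echo "certificate, key and chain are consistent"
}

# Run the check only when the three paths are given on the command line.
if [ "$#" -eq 3 ]; then
    check_cert_bundle "$@"
fi
```
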

Attempting to issue a certificate for the platform results in the "Failed to get a Let's Encrypt certificate" error. There is an error in the logs saying that the www/letsencrypt/.well-known/acme-challenge directory already exists:

Type: 'file' Object: 'symlink_exists' Value: 'www/letsencrypt/.well-known/acme-challenge'

The error occurs if the certificate was forcibly deleted. The certificate is automatically re-issued, but if you delete it and then add it again, the system will generate an error that the www/letsencrypt/.well-known/acme-challenge directory already exists.

To solve the problem:

  1. Connect to the platform via SSH.
  2. Delete the remaining files of the old certificate by means of the commands:

    rm -rf /usr/local/mgr5/etc/scripts/acmesh/ca/
    rm -rf /usr/local/mgr5/etc/scripts/acmesh/my.domain.ru/
    rm -rf /usr/local/mgr5/www/letsencrypt/.well-known/
  3. Re-issue the certificate.

The certificate is not automatically re-issued

If the certificate is not automatically re-issued, check the /usr/local/mgr5/var/billmgr_acme_sh.log for errors. If there is no information in the log about incorrect behavior or errors, the cause may be an outdated acme.sh script located at /usr/local/mgr5/etc/scripts/acmesh/.

To solve the problem:

  1. Connect to the platform via SSH.
  2. Check the script version: 

    /usr/local/mgr5/etc/scripts/acmesh/acme.sh --version
  3. If the version is lower than v3.0.5, update the script:

    /usr/local/mgr5/etc/scripts/acmesh/acme.sh --upgrade